404 Not Found Apache

My domain is: app.montor.site

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: montor.site
2: app.montor.site
3: www.app.montor.site
4: www.montor.site


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2 3
Requesting a certificate for app.montor.site and www.app.montor.site

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: app.montor.site
Type: unauthorized
Detail: Invalid response from http://app.montor.site/.well-known/acme-challenge/moHHK_-6hsZK5c-oooU0RxALF44XXRdthj64w7JFH-Y [92.53.124.174]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Domain: www.app.montor.site
Type: unauthorized
Detail: Invalid response from http://www.app.montor.site/.well-known/acme-challenge/dDiIAm59t9xijElLNEbBlPMMzTxHtENSDqB8Zmgi_gs [92.53.124.174]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.17.0

Also I found out that when i create verification file manually - site does not see it. Thanks in advance

1 Like

Hi @stasvinokur, and welcome to the LE community forum :slight_smile:

Please show the output of:
sudo apachectl -S

1 Like

Hi @rg305,
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 203465-ce29106.tmweb.ru. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 montor.site (/etc/apache2/sites-enabled/montor.site-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server app.montor.site (/etc/apache2/sites-enabled/app.montor.site.conf:1)
port 80 namevhost app.montor.site (/etc/apache2/sites-enabled/app.montor.site.conf:1)
alias www.app.montor.site
port 80 namevhost montor.site (/etc/apache2/sites-enabled/montor.site.conf:1)
alias www.montor.site
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

Please show this file:

1 Like
<VirtualHost *:80>

        ServerName app.montor.site
        ServerAlias www.app.montor.site
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/app.montor.site

        ErrorLog /home/python/ParserSite/logs/error.log
        CustomLog /home/python/ParserSite/logs/access.log combined

        alias /static /home/python/ParserSite/web/parserWeb/static
        <Directory /home/python/ParserSite/web/parserWeb/static>
                Require all granted
        </Directory>

        <Directory /home/python/ParserSite/web/web/>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>

        Alias /.well-known/acme-challenge/ /var/www/app.montor.site/.well-known/acme-challenge/
        <Directory "/var/www/app.montor.site/.well-known/acme-challenge">
                Options None
                AllowOverride None
                ForceType text/plain
                Require all granted
                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
        </Directory>

        RewriteEngine Off
        #RewriteEngine On
        #RewriteCond %{HTTPS} off [OR]
        #RewriteCond %{HTTP_HOST} ^www\. [NC]
        #RewriteRule ^ https://montor.site%{REQUEST_URI} [L,NE,R=301]

        #WSGIDaemonProcess ParserSite python-path=/home/python/ParserSite/web python-home=/home/python/venv
        #WSGIProcessGroup ParserSite
        #WSGIScriptAlias / /home/python/ParserSite/web/web/wsgi.py

</VirtualHost>
1 Like

Please try changing this:

        Alias /.well-known/acme-challenge/ /var/www/app.montor.site/.well-known/acme-challenge/
        <Directory "/var/www/app.montor.site/.well-known/acme-challenge">
                Options None
                AllowOverride None
                ForceType text/plain
                Require all granted
                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
        </Directory>

To this:

  <Location /.well-known/acme-challenge/>
     DocumentRoot /var/www/app.montor.site/.well-known/acme-challenge
  </Location>

  <Directory "/var/www/app.montor.site/.well-known/acme-challenge">
     Options None
     AllowOverride None
     ForceType text/plain
     Require all granted
  </Directory>
1 Like

Thanks for reply! I tried to use it, but i get the following error

AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/app.montor.site.conf:
DocumentRoot not allowed in <Location> context
2 Likes

hmm...

Let's try reversing the logic:
[change the root and then redirect everything else]

  DocumentRoot /var/www/app.montor.site/.well-known/acme-challenge
  <Location "/.well-known/acme-challenge/">
    #do nothing special for challenges / ignore bad requests
    RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
  </Location>
  <Location "/">
    #redirect all other requests to HTTPS
    Redirect permanent "/" https://%{HOST}/$1
  </Location>

[order may matter so put these location sections near the bottom - if you want to handle the others in HTTP]

1 Like

Apache config test is ok, but i get error validating data issue

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: montor.site
2: app.montor.site
3: www.app.montor.site
4: www.montor.site
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2 3
Requesting a certificate for app.montor.site and www.app.montor.site

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: app.montor.site
  Type:   connection
  Detail: Fetching http://app.montor.site/.well-known/acme-challenge/-e6VCm0PUvCNhtqCI9gKnCXNwUnooTkAWXlrntzvSSs: Error getting validation data

  Domain: www.app.montor.site
  Type:   connection
  Detail: Fetching http://www.app.montor.site/.well-known/acme-challenge/EjKIca1G5hh5uYfJh3G4b79ElwPps1mf5oAN9ukay_Q: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
1 Like

Ok let's test the location.

echo "test file 1" > /var/www/app.montor.site/.well-known/acme-challenge/test-file-1234
mkdir /var/www/app.montor.site/.well-known/acme-challenge/.well-known
mkdir /var/www/app.montor.site/.well-known/acme-challenge/.well-known/acme-challenge
echo "test file 2" > /var/www/app.montor.site/.well-known/acme-challenge/.well-known/acme-challenge/test-file-4321

One of those two files should be accessible from the Internet via two of these requests:

http://app.montor.site/.well-known/acme-challenge/test-file-1234
http://www.app.montor.site/.well-known/acme-challenge/test-file-1234

http://app.montor.site/.well-known/acme-challenge/test-file-4321
http://www.app.montor.site/.well-known/acme-challenge/test-file-4321
1 Like

I see only http://www.app.montor.site/.well-known/acme-challenge/test-file-1234 is accessible

1 Like

hmm...
Let's change the embedded 404 to something more obvious.
Change this:

To:
RedirectMatch 409 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"

1 Like

Something isn't working as expected.

  • The redirection match !43 chars fails to catch the "test-file-1234" [which only has 14 chars]
  • The permanent "/" redirection isn't being applied:
curl -I http://app.montor.site/please-redirect-me
HTTP/1.1 404 Not Found
Date: Tue, 20 Jul 2021 18:26:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

curl -I http://www.app.montor.site/please-redirect-me
HTTP/1.1 404 Not Found
Date: Tue, 20 Jul 2021 18:25:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Your config must have unseen problems.

[have I mentioned how much I dislike Apache lately?]

1 Like

I will try to rewrite apache config once more, thanks for your help

2 Likes

Hello again, i tried to run with --dry-run and --debug-challenges flags, and its worked.
But when i try to debug challenges without --dry run flag. Certbot does not create verification files. Maybe the problem is in rights?

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for app.montor.site and www.app.montor.site
Performing the following challenges:
http-01 challenge for app.montor.site
http-01 challenge for www.app.montor.site
Using the webroot path /var/www/app.montor.site for all unmatched domains.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
The dry run was successful.
1 Like

I would try using --webroot with certonly instead of --apache.

2 Likes

And it's surprisingly worked!

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/app.montor.site.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for app.montor.site and www.app.montor.site

Successfully received certificate.
1 Like

Wonderful!
[not surprising to me :slight_smile:]

Cheers from Miami :beers:
#SOSCUBA

1 Like

Thanks a lot! :grinning_face_with_smiling_eyes:

2 Likes